Win32/Onescan

This family of rogue security programs pretends to scan your PC for malware and often reports lots of infections. The program then says you have to pay for it before it can fully clean your PC.

However, the program hasn't really detected any malware at all and isn't really an antivirus or antimalware scanner. It just looks like one so you'll send money to the people who made the program. Some of these programs use product names or logos that unlawfully impersonate Microsoft products.

Even if you do pay to "unlock" the app, it won't do anything because your PC isn't actually infected with all that malware it "found".

Different brands of the rogue may modify various settings on your computer, end or close programs or system services, or block access to websites.

Threat behavior

Win32/Onescan is a family of rogue scanner programs that claim to scan for malware but display fake warnings of malicious files. The rogue then informs you that you need to pay to register the software and remove these non-existent threats from your PC.

Installation

This rogue is developed and distributed by Korean websites. The rogue can be downloaded and installed from various websites, like the following:

any<removed>.com

pri<removed>yn.com

vac<removed>com.com

wba<removed>.com

The download website might look similar to the following:

Note that the download is blocked by the SmartScreen Filter for Internet Explorer because the site is known to distribute the rogue.

To avoid detection, the rogue is branded and distributed under various names, including but not limited to the following:

alphavaccine

anycop

bestvaccine

bizvaccine

bluevaccine

boandefender

boanguard

boaninfo

boankeeper

boansupporter

boanupgrade

Bootcare

checkvaccine

cleanvaccine

coolspeed

DASearch

defencevaccine

directvaccine

diskvaccine

doublevaccine

DoubleVaccine

easyboan

easyvaccine

EnPrivacy

everyclean

everyguard

EveryGuard

fastcure

fastpc

fastvaccine

firstvaccine

goodvaccine

gvaccine

HardScan

highclear

highvaccine

homevaccine

infoclear

InfoData

InfoDoctor

InfoHelper

infosaver

internetspeed

keepprotect

lifeclean

lightpc

litevaccine

livepc

livesafer

mastervaccine

microboan

multicare

multivaccine

MyKeeper

mypcclean

mysafer

myvaccine

MyVaccine

neovaccine

netvaccine

One Scan

onescan

pcboan365

PCTrouble

pcupgrade

perfectcure

pointvaccine

powerboan

powercure

primevaccine

proguard

proscan

provaccine

purevaccine

realchecker

realcleaner

realsecurity

searchvaccine

Siren114

smartmode

smartsafer

smartspeed

SmartVaccine

solutionpc

specialguard

speedcheck

speedcontrol

speedcure

speedplus

speedsolution

speedtools

speedvaccine

sweeperlab

topboan

topchecker

topvaccine

totalvaccine

UProtect

userboan

userprotect

UtilKorea

UtilMarket

vaccinecode

vaccinecom

VaccineCure

vaccinefree

vaccinehelper

vaccinekiller

vaccinenet

vaccineon

vaccinepc

vaccinepower

vaccineprogram

vaccinesafe

vaccinesafer

vaccineupdate

vaccinezero

vcboan

vcmanager

windowcure

windowguard

windowvaccine

WindowVaccine

wisevaccine

WiseVaccine

XProtect

zerocop

zvaccine

The installer creates a folder, using one of its variant names, under the %ProgramFiles% folder. In the wild, we have observed folders named in both Korean and English.

It might also store various items, like configuration information, status information, and the dates on which various activities took place, under the key HKLM\SOFTWARE\<product name> (for example, HKLM\SOFTWARE\vaccinepc).
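A triage check for the two install artifacts described above, as an added example that is not part of the original write-up. It matches a subset of the brand names listed on this page against folder names under %ProgramFiles% and subkey names under HKLM\SOFTWARE; the function names, the confidence labels, and the choice to read both the 32-bit and 64-bit locations are assumptions of this example.

```python
import os

# Subset of the brand names listed on this page; paste in the full list for real use.
BRANDS = ["alphavaccine", "anycop", "boanguard", "One Scan", "onescan",
          "vaccinepc", "windowvaccine", "zerocop", "zvaccine"]

def _norm(name):
    # Case and spacing vary between variants ("One Scan" / "onescan").
    return "".join(name.split()).casefold()

def correlate(folder_names, reg_key_names, brands=BRANDS):
    """Return {brand: confidence} for names seen as a folder and/or a registry key."""
    wanted = {_norm(b) for b in brands}
    folders = {_norm(n) for n in folder_names} & wanted
    keys = {_norm(n) for n in reg_key_names} & wanted
    hits = {}
    for name in sorted(folders | keys):
        # Folder plus key under one name matches the install behaviour described
        # above; a single artifact is only a lead, because a name alone is weak.
        hits[name] = "high" if name in folders and name in keys else "review"
    return hits

def collect_live():
    """Enumerate Program Files folders and HKLM\\SOFTWARE subkeys (Windows only)."""
    import winreg  # imported here so correlate() also works on exported listings
    folders, keys = [], []
    for var in ("ProgramFiles", "ProgramFiles(x86)"):
        root = os.environ.get(var)
        if root and os.path.isdir(root):
            folders += [e.name for e in os.scandir(root) if e.is_dir()]
    # Assumption: on 64-bit Windows a 32-bit installer is redirected to the
    # 32-bit registry view, so both views are read.
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SOFTWARE", 0,
                            winreg.KEY_READ | view) as k:
            keys += [winreg.EnumKey(k, i) for i in range(winreg.QueryInfoKey(k)[0])]
    return folders, keys

if __name__ == "__main__":
    for brand, confidence in correlate(*collect_live()).items():
        print(f"{confidence:6} {brand}")
```

Folders with Korean names will not match this English name list, so a clean result from the folder side does not rule the rogue out.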

Payload

Displays fake alerts

This rogue might display alerts about fake issues on the affected PC. The alerts could appear similar to the following:

Connects to remote websites

This rogue tries to notify the malware authors when it infects your PC by sending data strings via the web browser Internet Explorer, as in the following examples:

The malware periodically contacts the website that it was installed from to check whether a newer version is available. If so, it downloads the newer version and replaces the existing files with the newer ones before launching the new copy.